.github/workflows/ci.yml

---
name: CI

# Ensure only one job per branch.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    branches: [master]
    tags: ["*"]
  pull_request:
    branches: [master]
    types: [opened, synchronize]

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Set up Nix
        uses: ./.github/actions/setup-nix
        with:
          cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Run tests
        run: nix develop . --command make test-cov-xml

      - name: Upload test report
        if: always()
        uses: mikepenz/action-junit-report@v4
        with:
          check_name: Test report
          report_paths: '**/.junit.xml'

      - name: Upload coverage
        uses: paambaati/codeclimate-action@v8.0.0
        env:
          CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
        with:
          coverageLocations: |
            ${{ github.workspace }}/.coverage.xml:cobertura

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Set up Nix
        uses: ./.github/actions/setup-nix
        with:
          cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Run tests
        run: nix develop . --command make lint

  scan-ast:
    name: Scan AST security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - uses: ./.github/actions/setup-nix
        with:
          cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Scan AST security
        run: nix develop . --command make scan-sec-ast

  scan-deps:
    name: Scan dependencies
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Set up Nix
        uses: ./.github/actions/setup-nix
        with:
          cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Export dependencies
        run: go list -json -deps ./... > go.list

      - name: Run nancy
        uses: sonatype-nexus-community/nancy-github-action@main
        with:
          nancyVersion: "v1.0.41"

  pub-image:
    name: Publish Docker image
    runs-on: ubuntu-latest
    needs: [lint, test, scan-ast, scan-deps]
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      - name: Set up Nix
        uses: ./.github/actions/setup-nix
        with:
          cachix_auth_token: '${{ secrets.CACHIX_AUTH_TOKEN }}'

      - name: Set image tag
        run: >
          if [ "${{ github.ref_type }}" = "tag" ] && [ -n "${{ github.ref_name }}" ]; then
            echo "IMG_TAG=$(echo ${{ github.ref_name }} | sed 's/^v//')" >> ${GITHUB_ENV}
          else
            echo "IMG_TAG=latest" >> ${GITHUB_ENV}
          fi

      - name: Capture current tag for injection to binary
        if: github.ref_type == 'tag' && github.ref_name != ''
        run: echo ${{ github.ref_name }} > .tag && git add .tag

      - name: Capture current commit hash for injection to binary
        run: echo ${{ github.sha }} > .rev && git add .rev

      - name: Build and push image to registry
        run: >
          nix build .#dockerArchiveStreamer
          && ./result
          | gzip --fast
          | skopeo copy
          --dest-creds ${{ github.repository_owner }}:${{ secrets.GITHUB_TOKEN }}
          docker-archive:/dev/stdin
          docker://ghcr.io/${{ github.repository }}:${IMG_TAG}